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DETAILED ACTION 

Claim Rejections - 35 USC § 103 

1 . The following is a quotation of 35 U.S.C. 1 03(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not.be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

2. Claims 1-4, 6, 7, 15, 15, 19-23 rejected under 35 U.S.C. 103(a) as being 
unpatentable over Pensak et al., US Patent No 6289450 (hereafter referred to as '450) 
in view of Kurn et al., US Pre-grant Pub No 20020071567 (hereafter referred to as 
'567). 

3. Astoclaim(s) 1, 11, 15, 19-23: 

'450 teaches a database storage and encrypted communications system comprising: 

• Receiving from a user a login request / User is logged into the remote server (Col 
8, Line 21, '450) 

• Login request includes identifier of user and supplementary data that may be 
used to authenticate the user / viewing users computer provides login and 
authentication information to the server (Col 8, Line 26, '450) 

• Verifying if the user is a registered user / server determines if viewing user is 
authorized to access the document segment (Col 8, Line 31, '450 
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• Receiving a request by the registered user for performing a data operation / 
application interface requests access to the document or information (Col 8, Line 
27, ( 450) 

• Operation together with a session ID known allocated to the user during login 
and known to the login server / Communicating the session ID of said user to the 
login server for identification / An SSL tunnel and session key are negotiated (Col 
8, Line 23, '450) 

• Decrypting encrypted password received form login server to derive password / 
user provides login and authentication information in encrypted SSL tunnel (Col 
8, Lines 23-26, '450), the database functions may be a distributed or shared 
database residing on multiple remote servers (Col 8, Line 63, '450) 

4. '450 does not teach for the server to store and use the encrypted private key of 
the registered user having said unique identifier using password. '567 teaches a 
remote database system storing a users private key encrypted by password based 
encryption (Page 5, Paragraph 0087, '567). It would have been obvious to a person of 
ordinary skill in the art at the time of invention to store and use the users private key on 
the database server as in '567 in the invention of '450. One of ordinary skill in the art 
would have been motivated to store and use the users private key on the database 
server as in '567 in the invention of ( 450 because storing the private key encrypted on 
the trusted database server defers the need to send the private key to the server for 
every session while maintaining a high level of security. 
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5. As to claim(s) 2,6: 

Supplementary data serves as said password / Using the supplementary data to 
generate said password / viewing computer provides login and authentication 
information (Col 8, Line 26, '450) database is password protected (Col 9, Line 1, ( 450) 

6. As to claim(s) 3, 7: 

Encrypting the password so as to generate an encrypted password / user provides login 
and authentication information in encrypted SSL tunnel (Col 8, Lines 23-26, ( 450) 
Sending the encrypted password to a login server coupled to data access server for 
storage / viewing computer provides login and authentication information to server (Col 
8, Line 26, '450) 

Data access server may access the password from the login server without storing it 
locally / the database may be a distributed or shard database residing on multiple 
remote servers (Col 8, Line 63, '450) 

7. As to claim(s) 4: 

Encrypted password sent to the login server is adapted for temporary storage for a 
current session only / login and authentication information (password) are encrypted 
under a session key and sent to server (Col 8, Line 24, '450) for current session. 
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8. Claim 5, 8-10, 12, 16-18 rejected under 35 U.S.C. 103(a) as being unpatentable 
over '450 in view of '567 in further view of "Group Sharing and Random access in 
Cryptographic Storage File Systems" (hereafter referred to as CSFS). 

As to claim(s) 5, 12: 

9. ( 450 as modified above teaches a distributed function multiple server database 
storage system and encrypted communications and storing and using private keys 
encrypted with passwords after a login. ( 450 as modified above does not teach to 
inform the login server upon termination of the current session to delete temporarily 
stored encrypted password. CSFS teaches an encrypted file system using temporary 
passwords to acquire encryption keys where the user enters the password each time 
the user logs in (Page 20, Line 12, CSFS). It would have been obvious to a person of 
ordinary skill in the art at the time of invention to use the once-per-login temporary 
password system of CSFS with the invention of '450 as modified above. One of 
ordinary skill in the art would have been motivated to use the once-per-login temporary 
password system of CSFS with the invention of '450 as modified above because it is 
easier on the user not to need to enter a password for each encryption operation. 

10. '450 as modified above does not teach for the database to delete the temporarily 
stored encrypted password upon termination of the current session. The examiner 
takes official notice as to deleting the temporarily stored encrypted password at upon 
termination of the current session. The temporarily stored password of CSFS is only 
needed during the current session, and it is a good secure disk management policy to 
delete temporary security data when it is no longer needed. It would have been obvious 
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to a person of ordinary skill in the art at the time of invention to delete the session 
password at the end of the user session. One of ordinary skill in the art would have 
been motivated to delete the session password at the end of the user session because 
deleting temporary security data as soon as it is no longer needed provides a greater 
level of security in that the password is less easily compromised once deleted. 

11. As to claim(s) 8, 14: 

Sending the unique identity of the user to the login server / User name provided to the 
remote server (Col 3, Line 63, '450) 

Receiving the password from the login server /the database functions may be a 
distributed or shared database residing on multiple remote servers (Col 8, Line 63, l 450) 

12. As to claim(s) 9: 

'450 as modified above teaches a distributed function multiple server database storage 
system and encrypted communications and storing and using private keys encrypted 
with passwords after a login. '450 as modified above does not teach for communication 
between servers to use encryption. '450 further teaches the use of encrypted SSL 
communication using public key techniques to transfer data from the server to the user. 
It would have been obvious to a person of ordinary skill in the art at the time of invention 
to use SSL for remote server-server communication as used in £ 450 for server-user 
communication. One of ordinary skill in the art would have been motivated to use SSL 
for remote server-server communication as used in '450 for server-user communication 
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because unencrypted remote communication across insecure networks can result in 
breaches of security. 

13. Astoclaim(s) 10: 

Generating a fingerprint of the password and comparing with a fingerprint stored in the 
user space associates with the registered user / SSL communication uses data hashing 
algorithms such as MD5 (Page 3, Line 6, Introduction to SSL) 

14. Astoclaim(s) 16, 17, 18: 

Decrypting the users encrypted password using login servers private key / An SSL 
tunnel is negotiated (Col 8, Line 23, '450) between user and server 
Encrypting using a temporary/session/periodically changed key stored in RAM and 
saving the password / password is re-encrypted for SSL transmission to remote 
distributed server under temporary SSL session key 

15. Claim 13 rejected under 35 U.S.C. 103(a) as being unpatentable over '450 in 
view of ( 567 in further view of CSFS in further view of "Manpage of TCSH". 

As to claim(s) 13: 

'450 as modified above teaches a distributed function multiple server database storage 
system and encrypted communications and storing and using private keys encrypted 
with passwords after a login and deleting temporarily stored encrypted passwords after 
logout. '450 does not teach for a user to be logged out after a timeout period. Manpage 
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of TCSH teaches a Unix shell that logs off a user after a predetermined time (Page 2, 
Item 9, Manpage of TCSH). It would have been obvious to a person of ordinary skill in 
the art at the time of invention to use the automatic logoff after a period of idle time as in 
"Manpage of TCSH" in the invention of '450 as modified above. One of ordinary skill in 
the art would have been motivated to use the automatic logoff after a period of idle time 
as in "Manpage of TCSH" in the invention of '450 as modified above because using an 
idle timeout helps users logout if they become unable to by normal means such as in 
the event of a break in connection etc. 



Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Jonathan R Adams whose telephone number is 
(571 )272-3832 after 10/04. The examiner can normally be reached on Monday - Friday 
from 10am to 6pm. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Gregory Morse, can be reached on (703) 308-4789. The fax phone number 
for the organization where this application or proceeding is assigned is (703) 872-9306. 
Any inquiry of a general nature or relating to the status of this application or proceeding 
should be directed to the receptionist whose telephone number is (703) 305-3900. 
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